HttpBearerAuth with preflight request

[myc0210]

Is there any proper way to get rid of preflight OPTION request when i add authorization in http request. Now my work around is by making a component which extends HttpBearerAuth class and override authenticate function adding following line before the original code

if($request->getIsOptions()) {
    return true;
}

This works but i want to know whether there is a simple and correct way to handle this...

[klimov-paul]

Add 'options' to except, when attaching filter:

public function behaviors()
{
    return [
        'bearerAuth' => [
            'class' => \yii\filters\auth\HttpBearerAuth::className(),
            'except' => ['options']
        ],
    ];
}

[yujin1st]

This doesn't work as OPTION is type of request, that browser sends on the same url as original request

[cebe]

have you seen http://www.yiiframework.com/doc-2.0/guide-rest-controllers.html#cors ?

[yujin1st]

Yes, i've done exactly as in documentation. "Except" skips only action ids in \yii\base\ActionFilter

[cebe]

I meant the order of Authentication and Cors filter. Cors must be before Auth to handle the OPTIONS request.

[yujin1st]

Order is correct, but Cors filter doesn't send back response immediately, authentication is checked anyway.

[cebe]

@yujin1st you need an action that handles the options request then, which is excluded from auth. That is what @klimov-paul propsed.

[yujin1st]

It seems i misunderstand processes:
As i digging into \yii\rest\ActiveController, i see it has an predefined action yii\rest\OptionsAction for such request, and it works fine, but i can't understand where OPTION request for any actions transforms into 'option' action?

How should i do such thing for my own rest controller (not activeController)?

[cebe]

This is done in yii\rest\UrlRule. See http://www.yiiframework.com/doc-2.0/guide-rest-routing.html